Node/Admin Certificates no longer work after upgrade to ES 7.7.0 from 7.3.2

We recently upgraded our Elasticsearch Stack to use OpenDistro 1.8.0 with Elasticsearch 7.7.0 from OpenDistro 1.3.0 with Elasticsearch 7.3.2. Before the upgrade, we used version 3 node and admin certs with Subject Alternative Name and some SAN settings. After the upgrade to 7.7.0 the certs no longer are able to be parsed and give the following error:

Caused by: java.security.cert.CertificateParsingException: signed fields invalid
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1827) ~[?:?]
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:192) ~[?:?]
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105) ~[?:?]
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355) ~[?:?]
        at com.amazon.opendistroforelasticsearch.security.support.PemKeyReader.loadCertificateFromFile(PemKeyReader.java:215) ~[?:?]
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initTransportSSLConfig(DefaultOpenDistroSecurityKeyStore.java:360) ~[?:?]
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initSSLConfig(DefaultOpenDistroSecurityKeyStore.java:247) ~[?:?]
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.<init>(DefaultOpenDistroSecurityKeyStore.java:168) ~[?:?]
        at com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecuritySSLPlugin.<init>(OpenDistroSecuritySSLPlugin.java:197) ~[?:?]
        at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:229) ~[?:?]
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.node.Node.<init>(Node.java:321) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.node.Node.<init>(Node.java:264) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:227) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393) ~[elasticsearch-7.7.0.jar:7.7.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.7.0.jar:7.7.0]
        ... 6 more

Removing the old certs and using the v1 demo certs fixes this error. I did not change the original certs in any way so I do not think it is a problem with the signed fields in the certs. This may be related to https://github.com/elastic/elasticsearch/issues/32021 but I am not sure. The config file for elasticsearch also did not change and is as follows:

action.auto_create_index: true
cluster.initial_master_nodes:
- x.x.x.x:9300
- x.x.x.x:9300
- x.x.x.x:9300
cluster.name: elasticsearch
discovery.seed_hosts:
- x.x.x.x:9300
- x.x.x.x:9300
- x.x.x.x:9300
- x.x.x.x:9300
network.host: 0.0.0.0
node.data: true
node.ingest: false
node.master: true
node.name: ${HOSTNAME}
path.data: /data/elasticsearch/shard_data
path.logs: /var/log/elasticsearch

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.audit.config.disabled_rest_categories: AUTHENTICATED, OPENDISTRO_SECURITY_INDEX_ATTEMPT
opendistro_security.audit.config.disabled_transport_categories: GRANTED_PRIVILEGES
opendistro_security.audit.ignore_users:
  - kibanaserver
opendistro_security.audit.config.index: "security_logindex"

opendistro_security.ssl.transport.pemcert_filepath: host1.pem
opendistro_security.ssl.transport.pemkey_filepath: host1.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: host1.pem
opendistro_security.ssl.http.pemkey_filepath: host1.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.http.clientauth_mode: OPTIONAL
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=clienthost-admin,<omitted>

opendistro_security.nodes_dn:
  - CN=host1,<omitted>
  - CN=host2,<omitted>
  - CN=host3,<omitted>
  - CN=clienthost,<omitted>
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

The root-ca.pem file has also been added to the Amazon Corretto 11 Java truststore. Can someone please help me understand what might be going on?
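Since the trace above shows java.security.cert.CertificateFactory rejecting the PEM file before any SAN or DN logic runs, a structural check of each certificate block is a useful first step. The following is an added example, not code from the original post or from OpenDistro: it strictly base64-decodes every CERTIFICATE block in a PEM file and checks that the decoded bytes have the Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } shape that the JDK's X509CertImpl.parse expects (its "signed fields invalid" message is raised when the first element of the outer SEQUENCE is not itself a SEQUENCE). SAMPLE_DER and SAMPLE_PEM are constructed stand-ins with the right shape, not real certificates.

```python
import base64, binascii, re
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset just after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length at offset %d" % pos)
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def check_certificate_der(der):
    """Return problems with the top-level Certificate structure; [] means well-formed."""
    try:
        if not der or der[0] != 0x30:
            return ["outer element is not a SEQUENCE"]
        total, pos = der_length(der, 1)
        if pos + total != len(der):
            return ["outer length %d does not cover the %d content bytes" % (total, len(der) - pos)]
        # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
        for tag, name in ((0x30, "tbsCertificate"), (0x30, "signatureAlgorithm"), (0x03, "signatureValue")):
            if der[pos] != tag:
                return ["%s has tag 0x%02x, expected 0x%02x" % (name, der[pos], tag)]
            length, pos = der_length(der, pos + 1)
            pos += length
        return [] if pos == len(der) else ["%d unexpected bytes after signatureValue" % (len(der) - pos)]
    except (ValueError, IndexError) as exc:
        return ["truncated or malformed DER (%s)" % exc]

def check_pem_file(text):
    """Strictly base64-decode every CERTIFICATE block; return [(block index, problems)]."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return [(0, ["no -----BEGIN CERTIFICATE----- block found"])]
    results = []
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            results.append((i, check_certificate_der(der)))
        except binascii.Error as exc:
            results.append((i, ["base64 decode failed: %s" % exc]))
    return results

# Constructed stand-in, not a real certificate: an empty tbsCertificate SEQUENCE, an
# AlgorithmIdentifier for sha256WithRSAEncryption, and a 4-byte BIT STRING signature.
SAMPLE_DER = bytes.fromhex("3018" "3000" "300d06092a864886f70d01010b0500" "030500deadbeef")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(SAMPLE_DER).decode()
```

Run check_pem_file(open(path).read()) against host1.pem and root-ca.pem from the config above; a clean result for every block rules out a corrupted or mis-wrapped file (stray characters, bad padding, truncation) as the cause, which is what the trace is complaining about.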

Hi 👋

We do not support this project here. It has its specific forum AFAIK.